Emerging Markets Law

Showing 2 posts from September 2017.

GDPR: Good Defense = Prepared + Responsive!

If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.

The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.

The EU views privacy as a fundamental human right; it is enshrined that way in the EU constitution. In this way, regulators and citizens of the EU are far more attuned to personal privacy than most Americans. The new privacy rules carry potentially very steep penalties: fines for violations can amount to up to four percent of global revenue or 20 million Euros (whichever is greater).

General Data Protection Regulation in the EU

What Does the GDPR Require?

The GDPR is designed to give EU residents a standard measure of personal electronic privacy protection that has the same basic expectations no matter whether the individual is doing business with a French company, a Japanese company, or an American company. The tenets of the GDPR sound non-controversial: they involve notice, choice, and transparency (among other things).

At a minimum, this probably merits reviewing your privacy and employment policies to ensure that they fall in line with GDPR requirements of telling EU consumers what data you collect about them, what you do with it, and what rights they have to stop you (or to change their minds once they’ve given you their information).

Merely revising your policies and ensuring that you have a way to respond to consumer inquiries is not enough to be fully compliant with the GDPR, but it may be a reasonable approach if your exposure to the market is very limited. That decision should be made in consultation with your lawyer and possibly your cyber insurance carrier so that you can weigh the risks of non-compliance (or partial compliance) against the benefits and costs of compliance.

If you have significant dealings in the EU, you almost certainly need to do more. Reviewing and documenting your company’s practices regarding data collection and use, designing privacy-aware interfaces for new products and services, establishing server locations so as to keep data local: all of these examples may be or become an important part of your GDPR readiness, because minimizing the data maintained on EU consumers and not moving it to jurisdictions that lack the EU’s protections are key policy aims of the GDPR.

Does it Apply to Me?

If you have customers, employees, or even vendors in the EU, and you interact with their personal data in electronic fashion, you may be subject to the GDPR. The rules apply if you offer goods or services to EU residents and/or if you monitor them. Cookies and other common Web tracking devices are considered a form of monitoring.

This has important implications for how you design your online and data flow practices, both consumer-facing and internal. Also, the EU definition of “personal information” is far broader than anything used in the U.S. It means anything that can be used to identify a person, not just specific information about a specific person. IP addresses, for example, are “personal information” within the EU definition – not just tax ID numbers, email addresses, and so forth.

What Should I Do?

The first step for any company is awareness: knowing whether you have dealings with EU residents, and what information you collect and use regarding them, will tell you whether you need to undertake a compliance discussion with your cyber counsel and carrier.

After that, ensuring that your company makes personal privacy a priority, both internally and externally, is high on the GDPR list. Unfortunate happenings like the Equifax and SEC breaches announced in September of 2017, combined with EU suspicion of U.S. electronic surveillance measures, will ensure that U.S. companies have to justify themselves to a skeptical regulator if they ever face their own issues.

Reflections on the Equifax Hack

The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.Reflections on Equifax Hack

Instead, consider the following scenarios:

  • An employee erroneously distributes the social security numbers and other personal information of every employee in the company;
  • A customer’s email is hacked, resulting in your company receiving a fraudulent - but authentic-looking - set of instructions to wire payment to a specific bank account. The money disappears as soon as it hits the fake account; and
  • Someone (unclear whether internal or external) gets into your company HR system and cracks several accounts, changing employee direct deposit information and locking employees out of their email.

I've gotten calls about each of these three situations just this week.

What would you do if this were your company? None of these is a catastrophic event, but every one of them involves disruption, investigation, acrimony, and significant amounts of time and money to resolve.

For a company that lacks the resources of Equifax, a seemingly small event like this could become catastrophic: your insurance might not pay; your customers might walk; your bank account might be compromised. On a smaller but still disruptive scale, you could become mired in reactive work (investigation, legal follow-up, relationship repair with customers and employees, HR actions) for weeks or even months.

Now think about a “minor” event like this, but where the information compromised is your company's core asset. That really would be catastrophic. And the plain truth is that these “minor” events are often preventable, or at least there is advance planning that could mitigate their impact. This is in plain contrast to the Equifax situation, where advance planning may or may not be enough to protect the plum assets of a high-value target from sophisticated actors.

Cyber and information security planning are not a purely defensive play. Investing in and planning for the security of your corporate assets – whether the company’s “secret sauce” or not – is a key offensive move for any organization.

If you're a growing company, investing in the integrity of your assets helps establish your value to potential buyers and investors.

If you're already at scale, planning and investment helps maintain it by allowing you to distribute and spend your profits for the benefit of your shareholders and your operations, rather than on reactive clean-up.

The legal exposure issues of a breach are real, but avoiding legal risk is not the primary result of planning done right. 

#cyberforgrowth #cyberasoffense


Stay Connected

Subscribe to blog updates via email